[workflows] read-only permissions for GITHUB_TOKEN in all flow

Setting read-only permission for all scopes for the GITHUB_TOKEN used in all remaining workflows. This is a part of adopting security best practices of the OpenSSF based on the ScoreCard tool [1] [1] https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions Signed-off-by: Georg Kunz <georg.kunz@ericsson.com>
Ericsson · Aug 23, 2023 · 27656fb · 27656fb
1 parent 7033989
commit 27656fb
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/.github/workflows/config_coverage.yml b/.github/workflows/config_coverage.yml
@@ -21,6 +21,8 @@ on:
   # Allow running this job manually from either API or GitHub UI.
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   checker-config-coverage:
     name: "Config coverage of checkers"

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -5,6 +5,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   main:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
@@ -6,6 +6,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   build:
     name: Build pypi package

diff --git a/.github/workflows/snap.yml b/.github/workflows/snap.yml
@@ -5,6 +5,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   build:
     name: Build snap package